Audit Logs

Audit records are collected in audit logs. The audit service provides three output modes for audit records.

• Logs that are called audit files store audit records in binary format. The set of audit files from a system or site provides a complete audit record. The complete audit record is called the audit trail. These logs are created by the audit_binfile plugin, and can be reviewed by the praudit and auditreduce post-selection commands.

• The audit_remote plugin streams audit records to a remote repository. The repository is responsible for maintaining an audit trail and supplying post-selection tools.

• The syslog utility collects and stores text summaries of the audit record. A syslog record is not complete. The following example shows a syslog entry for a login audit record:

  Oct 10  10:10:20 example_system auditd: [ID 6472 audit.notice] \
  login - login ok session 4076172534 by root as root:other

A site can configure auditing to collect audit records in all formats. You can configure the systems at your site to use binary mode locally, to send binary files to a remote repository, and to use syslog mode. The following table compares binary audit records with syslog audit records.

Table 1-1  Comparison of Binary, Remote, and syslog Audit Records

Feature Binary and Remote Records syslog Records Protocol Binary – Writes to the file system Remote – Streams to a remote repository Uses UDP for remote logging Data type Binary Text Record length No limit Up to 1024 characters per audit record Location Binary – Stored in a zpool on the system Remote – Remote repository Stored in a location that is specified in the syslog.conf file How to configure Binary – Set the p_dir attribute on the audit_binfile plugin Remote – Set the p_hosts attribute on the audit_remote plugin and make the plugin active Make the audit_syslog plugin active and configure the syslog.conf file How to read Binary – Typically, in batch mode, browser output in XML Remote – Repository dictates the procedure In real time or searched by scripts that you have created for syslog Plain text output Completeness Guaranteed to be complete and to appear in the correct order Not guaranteed to be complete Time stamp Coordinated Universal Time (UTC) Time on the system that is being audited

For more information about plugins and audit logs, refer to the following:

• audit_binfile (5) man page

• audit_syslog (5) man page

• audit.log (4) man page

• How to Assign Audit Space for the Audit Trail

• How to Configure syslog Audit Logs

About Binary Records

Binary records provide the greatest security and coverage. Binary output meets the requirements of security certifications, such as the Common Criteria audit requirements.

The audit_binfile plugin writes the records to a file system that you protect from snooping. On a single system, all binary records are collected and displayed in order. The UTC time stamp on binary logs enables accurate comparison when systems on one audit trail are distributed across time zones. The praudit -x command enables you to view the records in a browser in XML. You can also use scripts to parse the XML output.

The audit_remote plugin writes the records to a remote repository. The repository handles storage and post-selection.

About syslog Audit Records

In contrast, the syslog records might provide greater convenience and flexibility. For example, you can collect the syslog data from a variety of sources. Also, when you monitor audit.notice events in the syslog.conf file, the syslog utility logs an audit record summary with the current time stamp. You can use the same management and analysis tools that you have developed for syslog messages from a variety of sources, including workstations, servers, firewalls, and routers. The records can be viewed in real time, and can be stored on a remote system.

By using syslog.conf to store audit records remotely, you protect log data from alteration or deletion by an attacker. However, consider the following drawbacks to the syslog mode.

• The records are susceptible to network attacks such as denial of service and spoofed source addresses.

• The UDP protocol can drop packets or can deliver packets out of order.

• The 1024 character limit for syslog entries can cause some audit records to be truncated in the log.

• On a single system, not all audit records are collected, and might not be displayed in order.

• Each audit record is stamped with the local system's date and time. Thus, you cannot rely on the time stamp to construct an audit trail for several systems.